housekeeping: linter

Reviewed-on: #24

IMPLEMENTATION.md

@@ -27,6 +27,82 @@ This document covers concrete technology choices and dependencies. For the archi
 
 ---
 
+## EVM Policy Engine
+
+### Overview
+
+The EVM engine classifies incoming transactions, enforces grant constraints, and records executions. It is the sole path through which a wallet key is used for signing.
+
+The central abstraction is the `Policy` trait. Each implementation handles one semantic transaction category and owns its own database tables for grant storage and transaction logging.
+
+### Transaction Evaluation Flow
+
+`Engine::evaluate_transaction` runs the following steps in order:
+
+1. **Classify** — Each registered policy's `analyze(context)` inspects the transaction fields (`chain`, `to`, `value`, `calldata`). The first one returning `Some(meaning)` wins. If none match, the transaction is rejected as `UnsupportedTransactionType`.
+2. **Find grant** — `Policy::try_find_grant` queries for a non-revoked grant covering this wallet, client, chain, and target address.
+3. **Check shared constraints** — `check_shared_constraints` runs in the engine before any policy-specific logic. It enforces the validity window, gas fee caps, and transaction count rate limit (see below).
+4. **Evaluate** — `Policy::evaluate` checks the decoded meaning against the grant's policy-specific constraints and returns any violations.
+5. **Record** — If `RunKind::Execution` and there are no violations, the engine writes to `evm_transaction_log` and calls `Policy::record_transaction` for any policy-specific logging (e.g., token transfer volume).
+
+### Policy Trait
+
+| Method | Purpose |
+|---|---|
+| `analyze` | Pure — classifies a transaction into a typed `Meaning`, or `None` if this policy doesn't apply |
+| `evaluate` | Checks the `Meaning` against a `Grant`; returns a list of `EvalViolation`s |
+| `create_grant` | Inserts policy-specific rows; returns the specific grant ID |
+| `try_find_grant` | Finds a matching non-revoked grant for the given `EvalContext` |
+| `find_all_grants` | Returns all non-revoked grants (used for listing) |
+| `record_transaction` | Persists policy-specific data after execution |
+
+`analyze` and `evaluate` are intentionally separate: classification is pure and cheap, while evaluation may involve DB queries (e.g., fetching past transfer volume).
+
+### Registered Policies
+
+**EtherTransfer** — plain ETH transfers (empty calldata)
+
+- Grant requires: allowlist of recipient addresses + one volumetric rate limit (max ETH over a time window)
+- Violations: recipient not in allowlist, cumulative ETH volume exceeded
+
+**TokenTransfer** — ERC-20 `transfer(address,uint256)` calls
+
+- Recognised by ABI-decoding the `transfer(address,uint256)` selector against a static registry of known token contracts (`arbiter_tokens_registry`)
+- Grant requires: token contract address, optional recipient restriction, zero or more volumetric rate limits
+- Violations: recipient mismatch, any volumetric limit exceeded
+
+### Grant Model
+
+Every grant has two layers:
+
+- **Shared (`evm_basic_grant`)** — wallet, chain, validity period, gas fee caps, transaction count rate limit. One row per grant regardless of type.
+- **Specific** — policy-owned tables (`evm_ether_transfer_grant`, `evm_token_transfer_grant`, etc.) holding type-specific configuration.
+
+`find_all_grants` uses a `#[diesel::auto_type]` base join between the specific and shared tables, then batch-loads related rows (targets, volume limits) in two additional queries to avoid N+1.
+
+The engine exposes `list_all_grants` which collects across all policy types into `Vec<Grant<SpecificGrant>>` via a blanket `From<Grant<S>> for Grant<SpecificGrant>` conversion.
+
+### Shared Constraints (enforced by the engine)
+
+These are checked centrally in `check_shared_constraints` before policy evaluation:
+
+| Constraint | Fields | Behaviour |
+|---|---|---|
+| Validity window | `valid_from`, `valid_until` | Emits `InvalidTime` if current time is outside the range |
+| Gas fee cap | `max_gas_fee_per_gas`, `max_priority_fee_per_gas` | Emits `GasLimitExceeded` if either cap is breached |
+| Tx count rate limit | `rate_limit` (`count` + `window`) | Counts rows in `evm_transaction_log` within the window; emits `RateLimitExceeded` if at or above the limit |
+
+---
+
+### Known Limitations
+
+- **Only EIP-1559 transactions are supported.** Legacy and EIP-2930 types are rejected outright.
+- **No opaque-calldata (unknown contract) grant type.** The architecture describes a category for unrecognised contracts, but no policy implements it yet. Any transaction that is not a plain ETH transfer or a known ERC-20 transfer is unconditionally rejected.
+- **Token registry is static.** Tokens are recognised only if they appear in the hard-coded `arbiter_tokens_registry` crate. There is no mechanism to register additional contracts at runtime.
+- **Nonce management is not implemented.** The architecture lists nonce deduplication as a core responsibility, but no nonce tracking or enforcement exists yet.
+
+---
+
 ## Memory Protection
 
 The unsealed root key must be held in a hardened memory cell resistant to dumps, page swaps, and hibernation.

app/.dart_tool/extension_discovery/README.md

@@ -0,0 +1,31 @@
+Extension Discovery Cache
+=========================
+
+This folder is used by `package:extension_discovery` to cache lists of
+packages that contains extensions for other packages.
+
+DO NOT USE THIS FOLDER
+----------------------
+
+ * Do not read (or rely) the contents of this folder.
+ * Do write to this folder.
+
+If you're interested in the lists of extensions stored in this folder use the
+API offered by package `extension_discovery` to get this information.
+
+If this package doesn't work for your use-case, then don't try to read the
+contents of this folder. It may change, and will not remain stable.
+
+Use package `extension_discovery`
+---------------------------------
+
+If you want to access information from this folder.
+
+Feel free to delete this folder
+-------------------------------
+
+Files in this folder act as a cache, and the cache is discarded if the files
+are older than the modification time of `.dart_tool/package_config.json`.
+
+Hence, it should never be necessary to clear this cache manually, if you find a
+need to do please file a bug.

app/.dart_tool/extension_discovery/vs_code.json

@@ -0,0 +1 @@
+{"version":2,"entries":[{"package":"app","rootUri":"../","packageUri":"lib/"}]}

app/.dart_tool/package_config.json

@@ -0,0 +1,178 @@
+{
+  "configVersion": 2,
+  "packages": [
+    {
+      "name": "async",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/async-2.13.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "boolean_selector",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/boolean_selector-2.1.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "characters",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/characters-1.4.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "clock",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/clock-1.1.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "collection",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/collection-1.19.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "cupertino_icons",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/cupertino_icons-1.0.8",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "fake_async",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/fake_async-1.3.3",
+      "packageUri": "lib/",
+      "languageVersion": "3.3"
+    },
+    {
+      "name": "flutter",
+      "rootUri": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable/packages/flutter",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "flutter_lints",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/flutter_lints-6.0.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "flutter_test",
+      "rootUri": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable/packages/flutter_test",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "leak_tracker",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/leak_tracker-11.0.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.2"
+    },
+    {
+      "name": "leak_tracker_flutter_testing",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/leak_tracker_flutter_testing-3.0.10",
+      "packageUri": "lib/",
+      "languageVersion": "3.2"
+    },
+    {
+      "name": "leak_tracker_testing",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/leak_tracker_testing-3.0.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.2"
+    },
+    {
+      "name": "lints",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/lints-6.1.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "matcher",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/matcher-0.12.17",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "material_color_utilities",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/material_color_utilities-0.11.1",
+      "packageUri": "lib/",
+      "languageVersion": "2.17"
+    },
+    {
+      "name": "meta",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/meta-1.17.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.5"
+    },
+    {
+      "name": "path",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/path-1.9.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "sky_engine",
+      "rootUri": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable/bin/cache/pkg/sky_engine",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "source_span",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/source_span-1.10.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "stack_trace",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/stack_trace-1.12.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "stream_channel",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/stream_channel-2.1.4",
+      "packageUri": "lib/",
+      "languageVersion": "3.3"
+    },
+    {
+      "name": "string_scanner",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/string_scanner-1.4.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "term_glyph",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/term_glyph-1.2.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "test_api",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/test_api-0.7.7",
+      "packageUri": "lib/",
+      "languageVersion": "3.5"
+    },
+    {
+      "name": "vector_math",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/vector_math-2.2.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "vm_service",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/vm_service-15.0.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.5"
+    },
+    {
+      "name": "app",
+      "rootUri": "../",
+      "packageUri": "lib/",
+      "languageVersion": "3.10"
+    }
+  ],
+  "generator": "pub",
+  "generatorVersion": "3.10.8",
+  "flutterRoot": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable",
+  "flutterVersion": "3.38.9",
+  "pubCache": "file:///Users/kaska/.pub-cache"
+}

app/.dart_tool/package_graph.json

@@ -0,0 +1,230 @@
+{
+  "roots": [
+    "app"
+  ],
+  "packages": [
+    {
+      "name": "app",
+      "version": "1.0.0+1",
+      "dependencies": [
+        "cupertino_icons",
+        "flutter"
+      ],
+      "devDependencies": [
+        "flutter_lints",
+        "flutter_test"
+      ]
+    },
+    {
+      "name": "flutter_lints",
+      "version": "6.0.0",
+      "dependencies": [
+        "lints"
+      ]
+    },
+    {
+      "name": "flutter_test",
+      "version": "0.0.0",
+      "dependencies": [
+        "clock",
+        "collection",
+        "fake_async",
+        "flutter",
+        "leak_tracker_flutter_testing",
+        "matcher",
+        "meta",
+        "path",
+        "stack_trace",
+        "stream_channel",
+        "test_api",
+        "vector_math"
+      ]
+    },
+    {
+      "name": "cupertino_icons",
+      "version": "1.0.8",
+      "dependencies": []
+    },
+    {
+      "name": "flutter",
+      "version": "0.0.0",
+      "dependencies": [
+        "characters",
+        "collection",
+        "material_color_utilities",
+        "meta",
+        "sky_engine",
+        "vector_math"
+      ]
+    },
+    {
+      "name": "lints",
+      "version": "6.1.0",
+      "dependencies": []
+    },
+    {
+      "name": "stream_channel",
+      "version": "2.1.4",
+      "dependencies": [
+        "async"
+      ]
+    },
+    {
+      "name": "meta",
+      "version": "1.17.0",
+      "dependencies": []
+    },
+    {
+      "name": "collection",
+      "version": "1.19.1",
+      "dependencies": []
+    },
+    {
+      "name": "leak_tracker_flutter_testing",
+      "version": "3.0.10",
+      "dependencies": [
+        "flutter",
+        "leak_tracker",
+        "leak_tracker_testing",
+        "matcher",
+        "meta"
+      ]
+    },
+    {
+      "name": "vector_math",
+      "version": "2.2.0",
+      "dependencies": []
+    },
+    {
+      "name": "stack_trace",
+      "version": "1.12.1",
+      "dependencies": [
+        "path"
+      ]
+    },
+    {
+      "name": "clock",
+      "version": "1.1.2",
+      "dependencies": []
+    },
+    {
+      "name": "fake_async",
+      "version": "1.3.3",
+      "dependencies": [
+        "clock",
+        "collection"
+      ]
+    },
+    {
+      "name": "path",
+      "version": "1.9.1",
+      "dependencies": []
+    },
+    {
+      "name": "matcher",
+      "version": "0.12.17",
+      "dependencies": [
+        "async",
+        "meta",
+        "stack_trace",
+        "term_glyph",
+        "test_api"
+      ]
+    },
+    {
+      "name": "test_api",
+      "version": "0.7.7",
+      "dependencies": [
+        "async",
+        "boolean_selector",
+        "collection",
+        "meta",
+        "source_span",
+        "stack_trace",
+        "stream_channel",
+        "string_scanner",
+        "term_glyph"
+      ]
+    },
+    {
+      "name": "sky_engine",
+      "version": "0.0.0",
+      "dependencies": []
+    },
+    {
+      "name": "material_color_utilities",
+      "version": "0.11.1",
+      "dependencies": [
+        "collection"
+      ]
+    },
+    {
+      "name": "characters",
+      "version": "1.4.0",
+      "dependencies": []
+    },
+    {
+      "name": "async",
+      "version": "2.13.0",
+      "dependencies": [
+        "collection",
+        "meta"
+      ]
+    },
+    {
+      "name": "leak_tracker_testing",
+      "version": "3.0.2",
+      "dependencies": [
+        "leak_tracker",
+        "matcher",
+        "meta"
+      ]
+    },
+    {
+      "name": "leak_tracker",
+      "version": "11.0.2",
+      "dependencies": [
+        "clock",
+        "collection",
+        "meta",
+        "path",
+        "vm_service"
+      ]
+    },
+    {
+      "name": "term_glyph",
+      "version": "1.2.2",
+      "dependencies": []
+    },
+    {
+      "name": "string_scanner",
+      "version": "1.4.1",
+      "dependencies": [
+        "source_span"
+      ]
+    },
+    {
+      "name": "source_span",
+      "version": "1.10.2",
+      "dependencies": [
+        "collection",
+        "path",
+        "term_glyph"
+      ]
+    },
+    {
+      "name": "boolean_selector",
+      "version": "2.1.2",
+      "dependencies": [
+        "source_span",
+        "string_scanner"
+      ]
+    },
+    {
+      "name": "vm_service",
+      "version": "15.0.2",
+      "dependencies": []
+    }
+  ],
+  "configVersion": 1
+}

app/.dart_tool/version

@@ -0,0 +1 @@
+3.38.9

app/macos/Flutter/ephemeral/Flutter-Generated.xcconfig

@@ -0,0 +1,11 @@
+// This is a generated file; do not edit or check into version control.
+FLUTTER_ROOT=/Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable
+FLUTTER_APPLICATION_PATH=/Users/kaska/Documents/Projects/Major/arbiter/app
+COCOAPODS_PARALLEL_CODE_SIGN=true
+FLUTTER_BUILD_DIR=build
+FLUTTER_BUILD_NAME=1.0.0
+FLUTTER_BUILD_NUMBER=1
+DART_OBFUSCATION=false
+TRACK_WIDGET_CREATION=true
+TREE_SHAKE_ICONS=false
+PACKAGE_CONFIG=.dart_tool/package_config.json

app/macos/Flutter/ephemeral/flutter_export_environment.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+# This is a generated file; do not edit or check into version control.
+export "FLUTTER_ROOT=/Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable"
+export "FLUTTER_APPLICATION_PATH=/Users/kaska/Documents/Projects/Major/arbiter/app"
+export "COCOAPODS_PARALLEL_CODE_SIGN=true"
+export "FLUTTER_BUILD_DIR=build"
+export "FLUTTER_BUILD_NAME=1.0.0"
+export "FLUTTER_BUILD_NUMBER=1"
+export "DART_OBFUSCATION=false"
+export "TRACK_WIDGET_CREATION=true"
+export "TREE_SHAKE_ICONS=false"
+export "PACKAGE_CONFIG=.dart_tool/package_config.json"

protobufs/client.proto

@@ -2,6 +2,8 @@ syntax = "proto3";
 
 package arbiter.client;
 
+import "evm.proto";
+
 message AuthChallengeRequest {
   bytes pubkey = 1;
 }
@@ -21,6 +23,8 @@ message ClientRequest {
   oneof payload {
     AuthChallengeRequest auth_challenge_request = 1;
     AuthChallengeSolution auth_challenge_solution = 2;
+    arbiter.evm.EvmSignTransactionRequest evm_sign_transaction = 3;
+    arbiter.evm.EvmAnalyzeTransactionRequest evm_analyze_transaction = 4;
   }
 }
 
@@ -28,5 +32,7 @@ message ClientResponse {
   oneof payload {
     AuthChallenge auth_challenge = 1;
     AuthOk auth_ok = 2;
+    arbiter.evm.EvmSignTransactionResponse evm_sign_transaction = 3;
+    arbiter.evm.EvmAnalyzeTransactionResponse evm_analyze_transaction = 4;
   }
 }

protobufs/evm.proto

@@ -2,6 +2,9 @@ syntax = "proto3";
 
 package arbiter.evm;
 
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+
 enum EvmError {
   EVM_ERROR_UNSPECIFIED = 0;
   EVM_ERROR_VAULT_SEALED = 1;
@@ -29,3 +32,185 @@ message WalletListResponse {
     EvmError error = 2;
   }
 }
+
+// --- Grant types ---
+
+message TransactionRateLimit {
+  uint32 count = 1;
+  int64 window_secs = 2;
+}
+
+message VolumeRateLimit {
+  bytes max_volume = 1; // U256 as big-endian bytes
+  int64 window_secs = 2;
+}
+
+message SharedSettings {
+  int32 wallet_id = 1;
+  uint64 chain_id = 2;
+  optional google.protobuf.Timestamp valid_from = 3;
+  optional google.protobuf.Timestamp valid_until = 4;
+  optional bytes max_gas_fee_per_gas = 5; // U256 as big-endian bytes
+  optional bytes max_priority_fee_per_gas = 6; // U256 as big-endian bytes
+  optional TransactionRateLimit rate_limit = 7;
+}
+
+message EtherTransferSettings {
+  repeated bytes targets = 1; // list of 20-byte Ethereum addresses
+  VolumeRateLimit limit = 2;
+}
+
+message TokenTransferSettings {
+  bytes token_contract = 1; // 20-byte Ethereum address
+  optional bytes target = 2; // 20-byte Ethereum address; absent means any recipient allowed
+  repeated VolumeRateLimit volume_limits = 3;
+}
+
+message SpecificGrant {
+  oneof grant {
+    EtherTransferSettings ether_transfer = 1;
+    TokenTransferSettings token_transfer = 2;
+  }
+}
+
+message EtherTransferMeaning {
+  bytes to = 1; // 20-byte Ethereum address
+  bytes value = 2; // U256 as big-endian bytes
+}
+
+message TokenInfo {
+  string symbol = 1;
+  bytes address = 2; // 20-byte Ethereum address
+  uint64 chain_id = 3;
+}
+
+// Mirror of token_transfers::Meaning
+message TokenTransferMeaning {
+  TokenInfo token = 1;
+  bytes to = 2; // 20-byte Ethereum address
+  bytes value = 3; // U256 as big-endian bytes
+}
+
+// Mirror of policies::SpecificMeaning
+message SpecificMeaning {
+  oneof meaning {
+    EtherTransferMeaning ether_transfer = 1;
+    TokenTransferMeaning token_transfer = 2;
+  }
+}
+
+// --- Eval error types ---
+message GasLimitExceededViolation {
+  optional bytes max_gas_fee_per_gas = 1; // U256 as big-endian bytes
+  optional bytes max_priority_fee_per_gas = 2; // U256 as big-endian bytes
+}
+
+message EvalViolation {
+  oneof kind {
+    bytes invalid_target = 1; // 20-byte Ethereum address
+    GasLimitExceededViolation gas_limit_exceeded = 2;
+    google.protobuf.Empty rate_limit_exceeded = 3;
+    google.protobuf.Empty volumetric_limit_exceeded = 4;
+    google.protobuf.Empty invalid_time = 5;
+    google.protobuf.Empty invalid_transaction_type = 6;
+  }
+}
+
+// Transaction was classified but no grant covers it
+message NoMatchingGrantError {
+  SpecificMeaning meaning = 1;
+}
+
+// Transaction was classified and a grant was found, but constraints were violated
+message PolicyViolationsError {
+  SpecificMeaning meaning = 1;
+  repeated EvalViolation violations = 2;
+}
+
+// top-level error returned when transaction evaluation fails
+message TransactionEvalError {
+  oneof kind {
+    google.protobuf.Empty contract_creation_not_supported = 1;
+    google.protobuf.Empty unsupported_transaction_type = 2;
+    NoMatchingGrantError no_matching_grant = 3;
+    PolicyViolationsError policy_violations = 4;
+  }
+}
+
+// --- UserAgent grant management ---
+message EvmGrantCreateRequest {
+  int32 client_id = 1;
+  SharedSettings shared = 2;
+  SpecificGrant specific = 3;
+}
+
+message EvmGrantCreateResponse {
+  oneof result {
+    int32 grant_id = 1;
+    EvmError error = 2;
+  }
+}
+
+message EvmGrantDeleteRequest {
+  int32 grant_id = 1;
+}
+
+message EvmGrantDeleteResponse {
+  oneof result {
+    google.protobuf.Empty ok = 1;
+    EvmError error = 2;
+  }
+}
+
+// Basic grant info returned in grant listings
+message GrantEntry {
+  int32 id = 1;
+  int32 client_id = 2;
+  SharedSettings shared = 3;
+  SpecificGrant specific = 4;
+}
+
+message EvmGrantListRequest {
+  optional int32 wallet_id = 1;
+}
+
+message EvmGrantListResponse {
+  oneof result {
+    EvmGrantList grants = 1;
+    EvmError error = 2;
+  }
+}
+
+message EvmGrantList {
+  repeated GrantEntry grants = 1;
+}
+
+// --- Client transaction operations ---
+
+message EvmSignTransactionRequest {
+  bytes wallet_address = 1; // 20-byte Ethereum address
+  bytes rlp_transaction = 2; // RLP-encoded EIP-1559 transaction (unsigned)
+}
+
+// oneof because signing and evaluation happen atomically — a signing failure
+// is always either an eval error or an internal error, never a partial success
+message EvmSignTransactionResponse {
+  oneof result {
+    bytes signature = 1; // 65-byte signature: r[32] || s[32] || v[1]
+    TransactionEvalError eval_error = 2;
+    EvmError error = 3;
+  }
+}
+
+message EvmAnalyzeTransactionRequest {
+  bytes wallet_address = 1; // 20-byte Ethereum address
+  bytes rlp_transaction = 2; // RLP-encoded EIP-1559 transaction
+}
+
+message EvmAnalyzeTransactionResponse {
+  oneof result {
+    SpecificMeaning meaning = 1;
+    TransactionEvalError eval_error = 2;
+    EvmError error = 3;
+  }
+}

protobufs/user_agent.proto

@@ -58,6 +58,9 @@ message UserAgentRequest {
     google.protobuf.Empty query_vault_state = 5;
     google.protobuf.Empty evm_wallet_create = 6;
     google.protobuf.Empty evm_wallet_list = 7;
+    arbiter.evm.EvmGrantCreateRequest evm_grant_create = 8;
+    arbiter.evm.EvmGrantDeleteRequest evm_grant_delete = 9;
+    arbiter.evm.EvmGrantListRequest evm_grant_list = 10;
   }
 }
 message UserAgentResponse {
@@ -69,5 +72,8 @@ message UserAgentResponse {
     VaultState vault_state = 5;
     arbiter.evm.WalletCreateResponse evm_wallet_create = 6;
     arbiter.evm.WalletListResponse evm_wallet_list = 7;
+    arbiter.evm.EvmGrantCreateResponse evm_grant_create = 8;
+    arbiter.evm.EvmGrantDeleteResponse evm_grant_delete = 9;
+    arbiter.evm.EvmGrantListResponse evm_grant_list = 10;
   }
 }

server/Cargo.lock

@@ -67,9 +67,9 @@ dependencies = [
 
 [[package]]
 name = "alloy-chains"
-version = "0.2.30"
+version = "0.2.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90f374d3c6d729268bbe2d0e0ff992bb97898b2df756691a62ee1d5f0506bc39"
+checksum = "6d9d22005bf31b018f31ef9ecadb5d2c39cf4f6acc8db0456f72c815f3d7f757"
 dependencies = [
  "alloy-primitives",
  "num_enum",
@@ -634,13 +634,12 @@ dependencies = [
 
 [[package]]
 name = "alloy-trie"
-version = "0.9.4"
+version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d7fd448ab0a017de542de1dcca7a58e7019fe0e7a34ed3f9543ebddf6aceffa"
+checksum = "3f14b5d9b2c2173980202c6ff470d96e7c5e202c65a9f67884ad565226df7fbb"
 dependencies = [
  "alloy-primitives",
  "alloy-rlp",
- "arrayvec",
  "derive_more",
  "nybbles",
  "serde",
@@ -687,9 +686,11 @@ dependencies = [
  "async-trait",
  "base64",
  "futures",
+ "hex",
  "kameo",
  "miette",
  "prost",
+ "prost-types",
  "rand 0.10.0",
  "rcgen",
  "rstest",
@@ -977,9 +978,6 @@ name = "arrayvec"
 version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
-dependencies = [
- "serde",
-]
 
 [[package]]
 name = "asn1-rs"
@@ -2452,9 +2450,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 
 [[package]]
 name = "hybrid-array"
-version = "0.4.7"
+version = "0.4.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1b229d73f5803b562cc26e4da0396c8610a4ee209f4fac8fa4f8d709166dc45"
+checksum = "8655f91cd07f2b9d0c24137bd650fe69617773435ee5ec83022377777ce65ef1"
 dependencies = [
  "typenum",
 ]
@@ -2887,9 +2885,9 @@ checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
 
 [[package]]
 name = "libc"
-version = "0.2.182"
+version = "0.2.183"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
+checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d"
 
 [[package]]
 name = "libm"
@@ -3434,9 +3432,9 @@ dependencies = [
 
 [[package]]
 name = "proc-macro-crate"
-version = "3.4.0"
+version = "3.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "219cb19e96be00ab2e37d6e299658a0cfa83e52429179969b0f0121b4ac46983"
+checksum = "e67ba7e9b2b56446f1d419b1d807906278ffa1a658a8a5d8a39dcb1f5a78614f"
 dependencies = [
  "toml_edit",
 ]
@@ -3565,6 +3563,7 @@ version = "0.14.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8991c4cbdb8bc5b11f0b074ffe286c30e523de90fee5ba8132f1399f23cb3dd7"
 dependencies = [
+ "chrono",
  "prost",
 ]
 
@@ -3616,9 +3615,9 @@ dependencies = [
 
 [[package]]
 name = "quinn-proto"
-version = "0.11.13"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
  "bytes",
  "getrandom 0.3.4",
@@ -4475,12 +4474,12 @@ dependencies = [
 
 [[package]]
 name = "socket2"
-version = "0.6.2"
+version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "86f4aa3ad99f2088c990dfa82d367e19cb29268ed67c574d10d0a4bfe71f07e0"
+checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
 dependencies = [
  "libc",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4639,9 +4638,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
 
 [[package]]
 name = "tempfile"
-version = "3.26.0"
+version = "3.27.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82a72c767771b47409d2345987fda8628641887d5466101319899796367354a0"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
 dependencies = [
  "fastrand",
  "getrandom 0.4.2",
@@ -4857,7 +4856,7 @@ checksum = "cf92845e79fc2e2def6a5d828f0801e29a2f8acc037becc5ab08595c7d5e9863"
 dependencies = [
  "serde_core",
  "serde_spanned",
- "toml_datetime",
+ "toml_datetime 0.7.5+spec-1.1.0",
  "toml_parser",
  "winnow",
 ]
@@ -4872,13 +4871,22 @@ dependencies = [
 ]
 
 [[package]]
-name = "toml_edit"
+name = "toml_datetime"
-version = "0.23.10+spec-1.0.0"
+version = "1.0.0+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84c8b9f757e028cee9fa244aea147aab2a9ec09d5325a9b01e0a49730c2b5269"
+checksum = "32c2555c699578a4f59f0cc68e5116c8d7cabbd45e1409b989d4be085b53f13e"
+dependencies = [
+ "serde_core",
+]
+
+[[package]]
+name = "toml_edit"
+version = "0.25.4+spec-1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7193cbd0ce53dc966037f54351dbbcf0d5a642c7f0038c382ef9e677ce8c13f2"
 dependencies = [
  "indexmap 2.13.0",
- "toml_datetime",
+ "toml_datetime 1.0.0+spec-1.1.0",
  "toml_parser",
  "winnow",
 ]
@@ -5194,9 +5202,9 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
 [[package]]
 name = "uuid"
-version = "1.21.0"
+version = "1.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb"
+checksum = "a68d3c8f01c0cfa54a75291d83601161799e4a89a39e0929f4b0354d88757a37"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -5646,9 +5654,9 @@ checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
 
 [[package]]
 name = "winnow"
-version = "0.7.14"
+version = "0.7.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829"
+checksum = "df79d97927682d2fd8adb29682d1140b343be4ac0f08fd68b7765d9c059d3945"
 dependencies = [
  "memchr",
 ]
@@ -5820,18 +5828,18 @@ dependencies = [
 
 [[package]]
 name = "zerocopy"
-version = "0.8.40"
+version = "0.8.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a789c6e490b576db9f7e6b6d661bcc9799f7c0ac8352f56ea20193b2681532e5"
+checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
 dependencies = [
  "zerocopy-derive",
 ]
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.40"
+version = "0.8.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f65c489a7071a749c849713807783f70672b28094011623e200cb86dcb835953"
+checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
 dependencies = [
  "proc-macro2",
  "quote",

server/Cargo.toml

@@ -25,6 +25,7 @@ async-trait = "0.1.89"
 futures = "0.3.31"
 tokio-stream = { version = "0.1.18", features = ["full"] }
 kameo = "0.19.2"
+prost-types = { version = "0.14.3", features = ["chrono"] }
 x25519-dalek = { version = "2.0.1", features = ["getrandom"] }
 rstest = "0.26.1"
 rustls-pki-types = "1.14.0"

server/crates/arbiter-proto/Cargo.toml

@@ -9,6 +9,7 @@ license = "Apache-2.0"
 tonic.workspace = true
 tokio.workspace = true
 futures.workspace = true
+hex = "0.4.3"
 tonic-prost = "0.14.3"
 prost = "0.14.3"
 kameo.workspace = true
@@ -17,6 +18,7 @@ miette.workspace = true
 thiserror.workspace = true
 rustls-pki-types.workspace = true
 base64 = "0.22.1"
+prost-types.workspace = true
 tracing.workspace = true
 async-trait.workspace = true
 

server/crates/arbiter-server/src/actors/client/auth/mod.rs

@@ -51,6 +51,7 @@ fn parse_auth_event(payload: ClientRequestPayload) -> Result<AuthEvents, Error>
                 solution: signature,
             }))
         }
+        _ => Err(Error::UnexpectedMessagePayload) ,
     }
 }
 

server/crates/arbiter-server/src/db/models.rs

@@ -21,7 +21,7 @@ pub mod types {
     };
 
     #[derive(Debug, FromSqlRow, AsExpression)]
-    #[sql_type = "Integer"]
+    #[diesel(sql_type = Integer)]
     #[repr(transparent)] // hint compiler to optimize the wrapper struct away
     pub struct SqliteTimestamp(pub DateTime<Utc>);
     impl SqliteTimestamp {
@@ -56,7 +56,7 @@ pub mod types {
         fn from_sql(
             mut bytes: <Sqlite as diesel::backend::Backend>::RawValue<'_>,
         ) -> diesel::deserialize::Result<Self> {
-            let Some(SqliteType::Integer) = bytes.value_type() else {
+            let Some(SqliteType::Long) = bytes.value_type() else {
                 return Err(format!(
                     "Expected Integer type for SqliteTimestamp, got {:?}",
                     bytes.value_type()
@@ -64,8 +64,8 @@ pub mod types {
                 .into());
             };
 
-            let unix_timestamp = bytes.read_integer();
+            let unix_timestamp = bytes.read_long();
-            let datetime = DateTime::from_timestamp(unix_timestamp as i64, 0)
+            let datetime = DateTime::from_timestamp(unix_timestamp, 0)
                 .ok_or("Timestamp is out of bounds")?;
 
             Ok(SqliteTimestamp(datetime))

server/crates/arbiter-server/src/evm/mod.rs

@@ -1,23 +1,24 @@
 pub mod abi;
 pub mod safe_signer;
 
-use alloy::{consensus::TxEip1559, primitives::TxKind, signers::Signature};
+use alloy::{
+    consensus::TxEip1559,
+    primitives::{TxKind, U256},
+};
 use chrono::Utc;
-use diesel::{QueryResult, insert_into};
+use diesel::{ExpressionMethods as _, QueryDsl, QueryResult, insert_into, sqlite::Sqlite};
 use diesel_async::{AsyncConnection, RunQueryDsl};
 
 use crate::{
     db::{
         self,
-        models::{
+        models::{EvmBasicGrant, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp},
-            EvmBasicGrant, EvmTransactionLog, NewEvmBasicGrant, NewEvmTransactionLog,
-            SqliteTimestamp,
-        },
         schema::{self, evm_transaction_log},
     },
     evm::policies::{
-        EvalContext, EvalViolation, FullGrant, Policy, SpecificMeaning,
+        DatabaseID, EvalContext, EvalViolation, FullGrant, Grant, Policy, SharedGrantSettings,
-        ether_transfer::EtherTransfer, token_transfers::TokenTransfer,
+        SpecificGrant, SpecificMeaning, ether_transfer::EtherTransfer,
+        token_transfers::TokenTransfer,
     },
 };
 
@@ -54,7 +55,6 @@ pub enum VetError {
     Evaluated(SpecificMeaning, #[source] PolicyError),
 }
 
-
 #[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum SignError {
     #[error("Database connection pool error")]
@@ -87,6 +87,17 @@ pub enum CreationError {
     Database(#[from] diesel::result::Error),
 }
 
+#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+pub enum ListGrantsError {
+    #[error("Database connection pool error")]
+    #[diagnostic(code(arbiter_server::evm::list_grants_error::pool))]
+    Pool(#[from] db::PoolError),
+
+    #[error("Database returned error")]
+    #[diagnostic(code(arbiter_server::evm::list_grants_error::database))]
+    Database(#[from] diesel::result::Error),
+}
+
 /// Controls whether a transaction should be executed or only validated
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum RunKind {
@@ -96,6 +107,53 @@ pub enum RunKind {
     CheckOnly,
 }
 
+async fn check_shared_constraints(
+    context: &EvalContext,
+    shared: &SharedGrantSettings,
+    shared_grant_id: DatabaseID,
+    conn: &mut impl AsyncConnection<Backend = Sqlite>,
+) -> QueryResult<Vec<EvalViolation>> {
+    let mut violations = Vec::new();
+    let now = Utc::now();
+
+    // Validity window
+    if shared.valid_from.map_or(false, |t| now < t) || shared.valid_until.map_or(false, |t| now > t)
+    {
+        violations.push(EvalViolation::InvalidTime);
+    }
+
+    // Gas fee caps
+    let fee_exceeded = shared
+        .max_gas_fee_per_gas
+        .map_or(false, |cap| U256::from(context.max_fee_per_gas) > cap);
+    let priority_exceeded = shared.max_priority_fee_per_gas.map_or(false, |cap| {
+        U256::from(context.max_priority_fee_per_gas) > cap
+    });
+    if fee_exceeded || priority_exceeded {
+        violations.push(EvalViolation::GasLimitExceeded {
+            max_gas_fee_per_gas: shared.max_gas_fee_per_gas,
+            max_priority_fee_per_gas: shared.max_priority_fee_per_gas,
+        });
+    }
+
+    // Transaction count rate limit
+    if let Some(rate_limit) = &shared.rate_limit {
+        let window_start = SqliteTimestamp(now - rate_limit.window);
+        let count: i64 = evm_transaction_log::table
+            .filter(evm_transaction_log::grant_id.eq(shared_grant_id))
+            .filter(evm_transaction_log::signed_at.ge(window_start))
+            .count()
+            .get_result(conn)
+            .await?;
+
+        if count >= rate_limit.count as i64 {
+            violations.push(EvalViolation::RateLimitExceeded);
+        }
+    }
+
+    Ok(violations)
+}
+
 // Supporting only EIP-1559 transactions for now, but we can easily extend this to support legacy transactions if needed
 pub struct Engine {
     db: db::DatabasePool,
@@ -114,7 +172,11 @@ impl Engine {
             .await?
             .ok_or(PolicyError::NoMatchingGrant)?;
 
-        let violations = P::evaluate(&context, meaning, &grant, &mut conn).await?;
+        let mut violations =
+            check_shared_constraints(&context, &grant.shared, grant.shared_grant_id, &mut conn)
+                .await?;
+        violations.extend(P::evaluate(&context, meaning, &grant, &mut conn).await?);
+
         if !violations.is_empty() {
             return Err(PolicyError::Violations(violations));
         } else if run_kind == RunKind::Execution {
@@ -201,6 +263,37 @@ impl Engine {
         Ok(id)
     }
 
+    pub async fn list_all_grants(&self) -> Result<Vec<Grant<SpecificGrant>>, ListGrantsError> {
+        let mut conn = self.db.get().await?;
+
+        let mut grants: Vec<Grant<SpecificGrant>> = Vec::new();
+
+        grants.extend(
+            EtherTransfer::find_all_grants(&mut conn)
+                .await?
+                .into_iter()
+                .map(|g| Grant {
+                    id: g.id,
+                    shared_grant_id: g.shared_grant_id,
+                    shared: g.shared,
+                    settings: SpecificGrant::EtherTransfer(g.settings),
+                }),
+        );
+        grants.extend(
+            TokenTransfer::find_all_grants(&mut conn)
+                .await?
+                .into_iter()
+                .map(|g| Grant {
+                    id: g.id,
+                    shared_grant_id: g.shared_grant_id,
+                    shared: g.shared,
+                    settings: SpecificGrant::TokenTransfer(g.settings),
+                }),
+        );
+
+        Ok(grants)
+    }
+
     pub async fn evaluate_transaction(
         &self,
         wallet_id: i32,
@@ -215,9 +308,11 @@ impl Engine {
             wallet_id,
             client_id,
             chain: transaction.chain_id,
-            to: to,
+            to,
             value: transaction.value,
             calldata: transaction.input.clone(),
+            max_fee_per_gas: transaction.max_fee_per_gas,
+            max_priority_fee_per_gas: transaction.max_priority_fee_per_gas,
         };
 
         if let Some(meaning) = EtherTransfer::analyze(&context) {

server/crates/arbiter-server/src/evm/policies.rs

@@ -17,6 +17,7 @@ use crate::{
 pub mod ether_transfer;
 pub mod token_transfers;
 
+#[derive(Debug, Clone)]
 pub struct EvalContext {
     // Which wallet is this transaction for
     pub client_id: i32,
@@ -27,6 +28,10 @@ pub struct EvalContext {
     pub to: Address,
     pub value: U256,
     pub calldata: Bytes,
+
+    // Gas pricing (EIP-1559)
+    pub max_fee_per_gas: u128,
+    pub max_priority_fee_per_gas: u128,
 }
 
 #[derive(Debug, Error, Diagnostic)]
@@ -68,6 +73,7 @@ pub struct Grant<PolicySettings> {
     pub settings: PolicySettings,
 }
 
+
 pub trait Policy: Sized {
     type Settings: Send + Sync + 'static + Into<SpecificGrant>;
     type Meaning: Display + std::fmt::Debug + Send + Sync + 'static + Into<SpecificMeaning>;
@@ -97,6 +103,11 @@ pub trait Policy: Sized {
         conn: &mut impl AsyncConnection<Backend = Sqlite>,
     ) -> impl Future<Output = QueryResult<Option<Grant<Self::Settings>>>> + Send;
 
+    // Return all non-revoked grants, eagerly loading policy-specific settings
+    fn find_all_grants(
+        conn: &mut impl AsyncConnection<Backend = Sqlite>,
+    ) -> impl Future<Output = QueryResult<Vec<Grant<Self::Settings>>>> + Send;
+
     // Records, updates or deletes rate limits
     // In other words, records grant-specific things after transaction is executed
     fn record_transaction(

server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs

@@ -1,8 +1,9 @@
+use std::collections::HashMap;
 use std::fmt::Display;
 
 use alloy::primitives::{Address, U256};
 use chrono::{DateTime, Duration, Utc};
-use diesel::dsl::insert_into;
+use diesel::dsl::{auto_type, insert_into};
 use diesel::sqlite::Sqlite;
 use diesel::{ExpressionMethods, JoinOnDsl, prelude::*};
 use diesel_async::{AsyncConnection, RunQueryDsl};
@@ -11,7 +12,7 @@ use crate::db::models::{
     EvmBasicGrant, EvmEtherTransferGrant, EvmEtherTransferGrantTarget, EvmEtherTransferLimit,
     NewEvmEtherTransferLimit, SqliteTimestamp,
 };
-use crate::db::schema::{evm_ether_transfer_limit, evm_transaction_log};
+use crate::db::schema::{evm_basic_grant, evm_ether_transfer_limit, evm_transaction_log};
 use crate::evm::policies::{
     Grant, SharedGrantSettings, SpecificGrant, SpecificMeaning, VolumeRateLimit,
 };
@@ -23,6 +24,13 @@ use crate::{
     evm::{policies::Policy, utils},
 };
 
+#[auto_type]
+fn grant_join() -> _ {
+    evm_ether_transfer_grant::table.inner_join(
+        evm_basic_grant::table.on(evm_ether_transfer_grant::basic_grant_id.eq(evm_basic_grant::id)),
+    )
+}
+
 use super::{DatabaseID, EvalContext, EvalViolation};
 
 // Plain ether transfer
@@ -183,27 +191,21 @@ impl Policy for EtherTransfer {
         context: &EvalContext,
         conn: &mut impl AsyncConnection<Backend = Sqlite>,
     ) -> diesel::result::QueryResult<Option<Grant<Self::Settings>>> {
-        use crate::db::schema::{
-            evm_basic_grant, evm_ether_transfer_grant, evm_ether_transfer_grant_target,
-        };
-
         let target_bytes = context.to.to_vec();
 
         // Find a grant where:
         // 1. The basic grant's wallet_id and client_id match the context
         // 2. Any of the grant's targets match the context's `to` address
         let grant: Option<(EvmBasicGrant, EvmEtherTransferGrant)> = evm_ether_transfer_grant::table
-            .inner_join(
+            .inner_join(evm_basic_grant::table)
-                evm_basic_grant::table
+            .inner_join(evm_ether_transfer_grant_target::table)
-                    .on(evm_ether_transfer_grant::basic_grant_id.eq(evm_basic_grant::id)),
+            .filter(
+                evm_basic_grant::wallet_id
+                    .eq(context.wallet_id)
+                    .and(evm_basic_grant::client_id.eq(context.client_id))
+                    .and(evm_basic_grant::revoked_at.is_null())
+                    .and(evm_ether_transfer_grant_target::address.eq(&target_bytes)),
             )
-            .inner_join(
-                evm_ether_transfer_grant_target::table
-                    .on(evm_ether_transfer_grant::id.eq(evm_ether_transfer_grant_target::grant_id)),
-            )
-            .filter(evm_basic_grant::wallet_id.eq(context.wallet_id))
-            .filter(evm_basic_grant::client_id.eq(context.client_id))
-            .filter(evm_ether_transfer_grant_target::address.eq(&target_bytes))
             .select((
                 EvmBasicGrant::as_select(),
                 EvmEtherTransferGrant::as_select(),
@@ -266,4 +268,85 @@ impl Policy for EtherTransfer {
 
         Ok(())
     }
+
+    async fn find_all_grants(
+        conn: &mut impl AsyncConnection<Backend = Sqlite>,
+    ) -> QueryResult<Vec<Grant<Self::Settings>>> {
+        let grants: Vec<(EvmBasicGrant, EvmEtherTransferGrant)> = grant_join()
+            .filter(evm_basic_grant::revoked_at.is_null())
+            .select((
+                EvmBasicGrant::as_select(),
+                EvmEtherTransferGrant::as_select(),
+            ))
+            .load(conn)
+            .await?;
+
+        if grants.is_empty() {
+            return Ok(Vec::new());
         }
+
+        let grant_ids: Vec<i32> = grants.iter().map(|(_, g)| g.id).collect();
+        let limit_ids: Vec<i32> = grants.iter().map(|(_, g)| g.limit_id).collect();
+
+        let all_targets: Vec<EvmEtherTransferGrantTarget> = evm_ether_transfer_grant_target::table
+            .filter(evm_ether_transfer_grant_target::grant_id.eq_any(&grant_ids))
+            .select(EvmEtherTransferGrantTarget::as_select())
+            .load(conn)
+            .await?;
+
+        let all_limits: Vec<EvmEtherTransferLimit> = evm_ether_transfer_limit::table
+            .filter(evm_ether_transfer_limit::id.eq_any(&limit_ids))
+            .select(EvmEtherTransferLimit::as_select())
+            .load(conn)
+            .await?;
+
+        let mut targets_by_grant: HashMap<i32, Vec<EvmEtherTransferGrantTarget>> = HashMap::new();
+        for target in all_targets {
+            targets_by_grant
+                .entry(target.grant_id)
+                .or_default()
+                .push(target);
+        }
+
+        let limits_by_id: HashMap<i32, EvmEtherTransferLimit> =
+            all_limits.into_iter().map(|l| (l.id, l)).collect();
+
+        grants
+            .into_iter()
+            .map(|(basic, specific)| {
+                let targets: Vec<Address> = targets_by_grant
+                    .get(&specific.id)
+                    .map(|v| v.as_slice())
+                    .unwrap_or_default()
+                    .iter()
+                    .filter_map(|t| {
+                        let arr: [u8; 20] = t.address.clone().try_into().ok()?;
+                        Some(Address::from(arr))
+                    })
+                    .collect();
+
+                let limit = limits_by_id
+                    .get(&specific.limit_id)
+                    .ok_or(diesel::result::Error::NotFound)?;
+
+                Ok(Grant {
+                    id: specific.id,
+                    shared_grant_id: specific.basic_grant_id,
+                    shared: SharedGrantSettings::try_from_model(basic)?,
+                    settings: Settings {
+                        target: targets,
+                        limit: VolumeRateLimit {
+                            max_volume: utils::try_bytes_to_u256(&limit.max_volume).map_err(
+                                |e| diesel::result::Error::DeserializationError(Box::new(e)),
+                            )?,
+                            window: Duration::seconds(limit.window_secs as i64),
+                        },
+                    },
+                })
+            })
+            .collect()
+    }
+}
+
+#[cfg(test)]
+mod tests;

server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs

@@ -0,0 +1,387 @@
+use alloy::primitives::{Address, Bytes, U256, address};
+use chrono::{Duration, Utc};
+use diesel::{SelectableHelper, insert_into};
+use diesel_async::RunQueryDsl;
+
+use crate::db::{
+    self, DatabaseConnection,
+    models::{EvmBasicGrant, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp},
+    schema::{evm_basic_grant, evm_transaction_log},
+};
+use crate::evm::{
+    policies::{
+        EvalContext, EvalViolation, Grant, Policy, SharedGrantSettings, VolumeRateLimit,
+    },
+    utils,
+};
+
+use super::{EtherTransfer, Settings};
+
+const WALLET_ID: i32 = 1;
+const CLIENT_ID: i32 = 2;
+const CHAIN_ID: u64 = 1;
+
+const ALLOWED: Address = address!("1111111111111111111111111111111111111111");
+const OTHER: Address = address!("2222222222222222222222222222222222222222");
+
+fn ctx(to: Address, value: U256) -> EvalContext {
+    EvalContext {
+        wallet_id: WALLET_ID,
+        client_id: CLIENT_ID,
+        chain: CHAIN_ID,
+        to,
+        value,
+        calldata: Bytes::new(),
+        max_fee_per_gas: 0,
+        max_priority_fee_per_gas: 0,
+    }
+}
+
+async fn insert_basic(conn: &mut DatabaseConnection, revoked: bool) -> EvmBasicGrant {
+    insert_into(evm_basic_grant::table)
+        .values(NewEvmBasicGrant {
+            wallet_id: WALLET_ID,
+            client_id: CLIENT_ID,
+            chain_id: CHAIN_ID as i32,
+            valid_from: None,
+            valid_until: None,
+            max_gas_fee_per_gas: None,
+            max_priority_fee_per_gas: None,
+            rate_limit_count: None,
+            rate_limit_window_secs: None,
+            revoked_at: revoked.then(|| SqliteTimestamp(Utc::now())),
+        })
+        .returning(EvmBasicGrant::as_select())
+        .get_result(conn)
+        .await
+        .unwrap()
+}
+
+fn make_settings(targets: Vec<Address>, max_volume: u64) -> Settings {
+    Settings {
+        target: targets,
+        limit: VolumeRateLimit {
+            max_volume: U256::from(max_volume),
+            window: Duration::hours(1),
+        },
+    }
+}
+
+fn shared() -> SharedGrantSettings {
+    SharedGrantSettings {
+        wallet_id: WALLET_ID,
+        chain: CHAIN_ID,
+        valid_from: None,
+        valid_until: None,
+        max_gas_fee_per_gas: None,
+        max_priority_fee_per_gas: None,
+        rate_limit: None,
+    }
+}
+
+// ── analyze ─────────────────────────────────────────────────────────────
+
+#[test]
+fn analyze_matches_empty_calldata() {
+    let m = EtherTransfer::analyze(&ctx(ALLOWED, U256::from(1_000u64))).unwrap();
+    assert_eq!(m.to, ALLOWED);
+    assert_eq!(m.value, U256::from(1_000u64));
+}
+
+#[test]
+fn analyze_rejects_nonempty_calldata() {
+    let context = EvalContext {
+        calldata: Bytes::from(vec![0xde, 0xad, 0xbe, 0xef]),
+        ..ctx(ALLOWED, U256::from(1u64))
+    };
+    assert!(EtherTransfer::analyze(&context).is_none());
+}
+
+// ── evaluate ────────────────────────────────────────────────────────────
+
+#[tokio::test]
+async fn evaluate_passes_for_allowed_target() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let grant = Grant {
+        id: 999,
+        shared_grant_id: 999,
+        shared: shared(),
+        settings: make_settings(vec![ALLOWED], 1_000_000),
+    };
+    let context = ctx(ALLOWED, U256::from(100u64));
+    let m = EtherTransfer::analyze(&context).unwrap();
+    let v = EtherTransfer::evaluate(&context, &m, &grant, &mut *conn)
+        .await
+        .unwrap();
+    assert!(v.is_empty());
+}
+
+#[tokio::test]
+async fn evaluate_rejects_disallowed_target() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let grant = Grant {
+        id: 999,
+        shared_grant_id: 999,
+        shared: shared(),
+        settings: make_settings(vec![ALLOWED], 1_000_000),
+    };
+    let context = ctx(OTHER, U256::from(100u64));
+    let m = EtherTransfer::analyze(&context).unwrap();
+    let v = EtherTransfer::evaluate(&context, &m, &grant, &mut *conn)
+        .await
+        .unwrap();
+    assert!(
+        v.iter()
+            .any(|e| matches!(e, EvalViolation::InvalidTarget { .. }))
+    );
+}
+
+#[tokio::test]
+async fn evaluate_passes_when_volume_within_limit() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(vec![ALLOWED], 1_000);
+    let grant_id = EtherTransfer::create_grant(&basic, &settings, &mut *conn)
+        .await
+        .unwrap();
+
+    insert_into(evm_transaction_log::table)
+        .values(NewEvmTransactionLog {
+            grant_id,
+            client_id: CLIENT_ID,
+            wallet_id: WALLET_ID,
+            chain_id: CHAIN_ID as i32,
+            eth_value: utils::u256_to_bytes(U256::from(500u64)).to_vec(),
+            signed_at: SqliteTimestamp(Utc::now()),
+        })
+        .execute(&mut *conn)
+        .await
+        .unwrap();
+
+    let grant = Grant {
+        id: grant_id,
+        shared_grant_id: basic.id,
+        shared: shared(),
+        settings,
+    };
+    let context = ctx(ALLOWED, U256::from(100u64));
+    let m = EtherTransfer::analyze(&context).unwrap();
+    let v = EtherTransfer::evaluate(&context, &m, &grant, &mut *conn)
+        .await
+        .unwrap();
+    assert!(
+        !v.iter()
+            .any(|e| matches!(e, EvalViolation::VolumetricLimitExceeded))
+    );
+}
+
+#[tokio::test]
+async fn evaluate_rejects_volume_over_limit() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(vec![ALLOWED], 1_000);
+    let grant_id = EtherTransfer::create_grant(&basic, &settings, &mut *conn)
+        .await
+        .unwrap();
+
+    insert_into(evm_transaction_log::table)
+        .values(NewEvmTransactionLog {
+            grant_id,
+            client_id: CLIENT_ID,
+            wallet_id: WALLET_ID,
+            chain_id: CHAIN_ID as i32,
+            eth_value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
+            signed_at: SqliteTimestamp(Utc::now()),
+        })
+        .execute(&mut *conn)
+        .await
+        .unwrap();
+
+    let grant = Grant {
+        id: grant_id,
+        shared_grant_id: basic.id,
+        shared: shared(),
+        settings,
+    };
+    let context = ctx(ALLOWED, U256::from(100u64));
+    let m = EtherTransfer::analyze(&context).unwrap();
+    let v = EtherTransfer::evaluate(&context, &m, &grant, &mut *conn)
+        .await
+        .unwrap();
+    assert!(
+        v.iter()
+            .any(|e| matches!(e, EvalViolation::VolumetricLimitExceeded))
+    );
+}
+
+#[tokio::test]
+async fn evaluate_passes_at_exactly_volume_limit() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(vec![ALLOWED], 1_000);
+    let grant_id = EtherTransfer::create_grant(&basic, &settings, &mut *conn)
+        .await
+        .unwrap();
+
+    // Exactly at the limit — the check is `>`, so this should not violate
+    insert_into(evm_transaction_log::table)
+        .values(NewEvmTransactionLog {
+            grant_id,
+            client_id: CLIENT_ID,
+            wallet_id: WALLET_ID,
+            chain_id: CHAIN_ID as i32,
+            eth_value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
+            signed_at: SqliteTimestamp(Utc::now()),
+        })
+        .execute(&mut *conn)
+        .await
+        .unwrap();
+
+    let grant = Grant {
+        id: grant_id,
+        shared_grant_id: basic.id,
+        shared: shared(),
+        settings,
+    };
+    let context = ctx(ALLOWED, U256::from(100u64));
+    let m = EtherTransfer::analyze(&context).unwrap();
+    let v = EtherTransfer::evaluate(&context, &m, &grant, &mut *conn)
+        .await
+        .unwrap();
+    assert!(
+        !v.iter()
+            .any(|e| matches!(e, EvalViolation::VolumetricLimitExceeded))
+    );
+}
+
+// ── try_find_grant ───────────────────────────────────────────────────────
+
+#[tokio::test]
+async fn try_find_grant_roundtrip() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(vec![ALLOWED], 1_000_000);
+    EtherTransfer::create_grant(&basic, &settings, &mut *conn)
+        .await
+        .unwrap();
+
+    let found = EtherTransfer::try_find_grant(&ctx(ALLOWED, U256::from(1u64)), &mut *conn)
+        .await
+        .unwrap();
+
+    assert!(found.is_some());
+    let g = found.unwrap();
+    assert_eq!(g.settings.target, vec![ALLOWED]);
+    assert_eq!(g.settings.limit.max_volume, U256::from(1_000_000u64));
+}
+
+#[tokio::test]
+async fn try_find_grant_revoked_returns_none() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, true).await;
+    let settings = make_settings(vec![ALLOWED], 1_000_000);
+    EtherTransfer::create_grant(&basic, &settings, &mut *conn)
+        .await
+        .unwrap();
+
+    let found = EtherTransfer::try_find_grant(&ctx(ALLOWED, U256::from(1u64)), &mut *conn)
+        .await
+        .unwrap();
+    assert!(found.is_none());
+}
+
+#[tokio::test]
+async fn try_find_grant_wrong_target_returns_none() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(vec![ALLOWED], 1_000_000);
+    EtherTransfer::create_grant(&basic, &settings, &mut *conn)
+        .await
+        .unwrap();
+
+    let found = EtherTransfer::try_find_grant(&ctx(OTHER, U256::from(1u64)), &mut *conn)
+        .await
+        .unwrap();
+    assert!(found.is_none());
+}
+
+// ── find_all_grants ──────────────────────────────────────────────────────
+
+#[tokio::test]
+async fn find_all_grants_empty_db() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+    let all = EtherTransfer::find_all_grants(&mut *conn).await.unwrap();
+    assert!(all.is_empty());
+}
+
+#[tokio::test]
+async fn find_all_grants_excludes_revoked() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let settings = make_settings(vec![ALLOWED], 1_000_000);
+    let active = insert_basic(&mut conn, false).await;
+    EtherTransfer::create_grant(&active, &settings, &mut *conn)
+        .await
+        .unwrap();
+    let revoked = insert_basic(&mut conn, true).await;
+    EtherTransfer::create_grant(&revoked, &settings, &mut *conn)
+        .await
+        .unwrap();
+
+    let all = EtherTransfer::find_all_grants(&mut *conn).await.unwrap();
+    assert_eq!(all.len(), 1);
+    assert_eq!(all[0].settings.target, vec![ALLOWED]);
+}
+
+#[tokio::test]
+async fn find_all_grants_multiple_targets() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(vec![ALLOWED, OTHER], 1_000_000);
+    EtherTransfer::create_grant(&basic, &settings, &mut *conn)
+        .await
+        .unwrap();
+
+    let all = EtherTransfer::find_all_grants(&mut *conn).await.unwrap();
+    assert_eq!(all.len(), 1);
+    assert_eq!(all[0].settings.target.len(), 2);
+    assert_eq!(all[0].settings.limit.max_volume, U256::from(1_000_000u64));
+}
+
+#[tokio::test]
+async fn find_all_grants_multiple_grants() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic1 = insert_basic(&mut conn, false).await;
+    EtherTransfer::create_grant(&basic1, &make_settings(vec![ALLOWED], 500), &mut *conn)
+        .await
+        .unwrap();
+    let basic2 = insert_basic(&mut conn, false).await;
+    EtherTransfer::create_grant(&basic2, &make_settings(vec![OTHER], 1_000), &mut *conn)
+        .await
+        .unwrap();
+
+    let all = EtherTransfer::find_all_grants(&mut *conn).await.unwrap();
+    assert_eq!(all.len(), 2);
+}

server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs

@@ -1,10 +1,12 @@
+use std::collections::HashMap;
+
 use alloy::{
     primitives::{Address, U256},
     sol_types::SolCall,
 };
 use arbiter_tokens_registry::evm::nonfungible::{self, TokenInfo};
 use chrono::{DateTime, Duration, Utc};
-use diesel::dsl::insert_into;
+use diesel::dsl::{auto_type, insert_into};
 use diesel::sqlite::Sqlite;
 use diesel::{ExpressionMethods, prelude::*};
 use diesel_async::{AsyncConnection, RunQueryDsl};
@@ -14,16 +16,26 @@ use crate::db::models::{
     NewEvmTokenTransferLog, NewEvmTokenTransferVolumeLimit, SqliteTimestamp,
 };
 use crate::db::schema::{
-    evm_token_transfer_grant, evm_token_transfer_log, evm_token_transfer_volume_limit,
+    evm_basic_grant, evm_token_transfer_grant, evm_token_transfer_log,
+    evm_token_transfer_volume_limit,
 };
 use crate::evm::{
     abi::IERC20::transferCall,
-    policies::{Grant, Policy, SharedGrantSettings, SpecificGrant, SpecificMeaning, VolumeRateLimit},
+    policies::{
+        Grant, Policy, SharedGrantSettings, SpecificGrant, SpecificMeaning, VolumeRateLimit,
+    },
     utils,
 };
 
 use super::{DatabaseID, EvalContext, EvalViolation};
 
+#[auto_type]
+fn grant_join() -> _ {
+    evm_token_transfer_grant::table.inner_join(
+        evm_basic_grant::table.on(evm_token_transfer_grant::basic_grant_id.eq(evm_basic_grant::id)),
+    )
+}
+
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Meaning {
     token: &'static TokenInfo,
@@ -192,15 +204,10 @@ impl Policy for TokenTransfer {
         context: &EvalContext,
         conn: &mut impl AsyncConnection<Backend = Sqlite>,
     ) -> QueryResult<Option<Grant<Self::Settings>>> {
-        use crate::db::schema::{evm_basic_grant, evm_token_transfer_grant};
-
         let token_contract_bytes = context.to.to_vec();
 
-        let grant: Option<(EvmBasicGrant, EvmTokenTransferGrant)> = evm_token_transfer_grant::table
+        let grant: Option<(EvmBasicGrant, EvmTokenTransferGrant)> = grant_join()
-            .inner_join(
+            .filter(evm_basic_grant::revoked_at.is_null())
-                evm_basic_grant::table
-                    .on(evm_token_transfer_grant::basic_grant_id.eq(evm_basic_grant::id)),
-            )
             .filter(evm_basic_grant::wallet_id.eq(context.wallet_id))
             .filter(evm_basic_grant::client_id.eq(context.client_id))
             .filter(evm_token_transfer_grant::token_contract.eq(&token_contract_bytes))
@@ -288,4 +295,91 @@ impl Policy for TokenTransfer {
 
         Ok(())
     }
+
+    async fn find_all_grants(
+        conn: &mut impl AsyncConnection<Backend = Sqlite>,
+    ) -> QueryResult<Vec<Grant<Self::Settings>>> {
+        let grants: Vec<(EvmBasicGrant, EvmTokenTransferGrant)> = grant_join()
+            .filter(evm_basic_grant::revoked_at.is_null())
+            .select((
+                EvmBasicGrant::as_select(),
+                EvmTokenTransferGrant::as_select(),
+            ))
+            .load(conn)
+            .await?;
+
+        if grants.is_empty() {
+            return Ok(Vec::new());
         }
+
+        let grant_ids: Vec<i32> = grants.iter().map(|(_, g)| g.id).collect();
+
+        let all_volume_limits: Vec<EvmTokenTransferVolumeLimit> =
+            evm_token_transfer_volume_limit::table
+                .filter(evm_token_transfer_volume_limit::grant_id.eq_any(&grant_ids))
+                .select(EvmTokenTransferVolumeLimit::as_select())
+                .load(conn)
+                .await?;
+
+        let mut limits_by_grant: HashMap<i32, Vec<EvmTokenTransferVolumeLimit>> = HashMap::new();
+        for limit in all_volume_limits {
+            limits_by_grant
+                .entry(limit.grant_id)
+                .or_default()
+                .push(limit);
+        }
+
+        grants
+            .into_iter()
+            .map(|(basic, specific)| {
+                let volume_limits: Vec<VolumeRateLimit> = limits_by_grant
+                    .get(&specific.id)
+                    .map(|v| v.as_slice())
+                    .unwrap_or_default()
+                    .iter()
+                    .map(|row| {
+                        Ok(VolumeRateLimit {
+                            max_volume: utils::try_bytes_to_u256(&row.max_volume).map_err(|e| {
+                                diesel::result::Error::DeserializationError(Box::new(e))
+                            })?,
+                            window: Duration::seconds(row.window_secs as i64),
+                        })
+                    })
+                    .collect::<QueryResult<Vec<_>>>()?;
+
+                let token_contract: [u8; 20] =
+                    specific.token_contract.clone().try_into().map_err(|_| {
+                        diesel::result::Error::DeserializationError(
+                            "Invalid token contract address length".into(),
+                        )
+                    })?;
+
+                let target: Option<Address> = match &specific.receiver {
+                    None => None,
+                    Some(bytes) => {
+                        let arr: [u8; 20] = bytes.clone().try_into().map_err(|_| {
+                            diesel::result::Error::DeserializationError(
+                                "Invalid receiver address length".into(),
+                            )
+                        })?;
+                        Some(Address::from(arr))
+                    }
+                };
+
+                Ok(Grant {
+                    id: specific.id,
+                    shared_grant_id: specific.basic_grant_id,
+                    shared: SharedGrantSettings::try_from_model(basic)?,
+                    settings: Settings {
+                        token_contract: Address::from(token_contract),
+                        target,
+                        volume_limits,
+                    },
+                })
+            })
+            .collect()
+    }
+}
+
+#[cfg(test)]
+mod tests;

server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs

@@ -0,0 +1,397 @@
+use alloy::primitives::{Address, Bytes, U256, address};
+use alloy::sol_types::SolCall;
+use chrono::{Duration, Utc};
+use diesel::{SelectableHelper, insert_into};
+use diesel_async::RunQueryDsl;
+
+use crate::db::{
+    self, DatabaseConnection,
+    models::{EvmBasicGrant, NewEvmBasicGrant, SqliteTimestamp},
+    schema::evm_basic_grant,
+};
+use crate::evm::{
+    abi::IERC20::transferCall,
+    policies::{EvalContext, EvalViolation, Grant, Policy, SharedGrantSettings, VolumeRateLimit},
+    utils,
+};
+
+use super::{Settings, TokenTransfer};
+
+// DAI on Ethereum mainnet — present in the static token registry
+const CHAIN_ID: u64 = 1;
+const DAI: Address = address!("6B175474E89094C44Da98b954EedeAC495271d0F");
+
+const WALLET_ID: i32 = 1;
+const CLIENT_ID: i32 = 2;
+
+const RECIPIENT: Address = address!("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
+const OTHER: Address = address!("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb");
+const UNKNOWN_TOKEN: Address = address!("cccccccccccccccccccccccccccccccccccccccc");
+
+/// Encode `transfer(to, value)` raw params (no 4-byte selector).
+/// `abi_decode_raw_validate` expects exactly this format.
+fn transfer_calldata(to: Address, value: U256) -> Bytes {
+    let mut raw = Vec::new();
+    transferCall { to, value }.abi_encode_raw(&mut raw);
+    Bytes::from(raw)
+}
+
+fn ctx(to: Address, calldata: Bytes) -> EvalContext {
+    EvalContext {
+        wallet_id: WALLET_ID,
+        client_id: CLIENT_ID,
+        chain: CHAIN_ID,
+        to,
+        value: U256::ZERO,
+        calldata,
+        max_fee_per_gas: 0,
+        max_priority_fee_per_gas: 0,
+    }
+}
+
+async fn insert_basic(conn: &mut DatabaseConnection, revoked: bool) -> EvmBasicGrant {
+    insert_into(evm_basic_grant::table)
+        .values(NewEvmBasicGrant {
+            wallet_id: WALLET_ID,
+            client_id: CLIENT_ID,
+            chain_id: CHAIN_ID as i32,
+            valid_from: None,
+            valid_until: None,
+            max_gas_fee_per_gas: None,
+            max_priority_fee_per_gas: None,
+            rate_limit_count: None,
+            rate_limit_window_secs: None,
+            revoked_at: revoked.then(|| SqliteTimestamp(Utc::now())),
+        })
+        .returning(EvmBasicGrant::as_select())
+        .get_result(conn)
+        .await
+        .unwrap()
+}
+
+fn make_settings(target: Option<Address>, max_volume: Option<u64>) -> Settings {
+    Settings {
+        token_contract: DAI,
+        target,
+        volume_limits: max_volume
+            .map(|v| {
+                vec![VolumeRateLimit {
+                    max_volume: U256::from(v),
+                    window: Duration::hours(1),
+                }]
+            })
+            .unwrap_or_default(),
+    }
+}
+
+fn shared() -> SharedGrantSettings {
+    SharedGrantSettings {
+        wallet_id: WALLET_ID,
+        chain: CHAIN_ID,
+        valid_from: None,
+        valid_until: None,
+        max_gas_fee_per_gas: None,
+        max_priority_fee_per_gas: None,
+        rate_limit: None,
+    }
+}
+
+// ── analyze ─────────────────────────────────────────────────────────────
+
+#[test]
+fn analyze_known_token_valid_calldata() {
+    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let m = TokenTransfer::analyze(&ctx(DAI, calldata)).unwrap();
+    assert_eq!(m.to, RECIPIENT);
+    assert_eq!(m.value, U256::from(100u64));
+}
+
+#[test]
+fn analyze_unknown_token_returns_none() {
+    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    assert!(TokenTransfer::analyze(&ctx(UNKNOWN_TOKEN, calldata)).is_none());
+}
+
+#[test]
+fn analyze_invalid_calldata_returns_none() {
+    let calldata = Bytes::from(vec![0xde, 0xad, 0xbe, 0xef]);
+    assert!(TokenTransfer::analyze(&ctx(DAI, calldata)).is_none());
+}
+
+#[test]
+fn analyze_empty_calldata_returns_none() {
+    assert!(TokenTransfer::analyze(&ctx(DAI, Bytes::new())).is_none());
+}
+
+// ── evaluate ────────────────────────────────────────────────────────────
+
+#[tokio::test]
+async fn evaluate_rejects_nonzero_eth_value() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let grant = Grant {
+        id: 999,
+        shared_grant_id: 999,
+        shared: shared(),
+        settings: make_settings(None, None),
+    };
+    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let mut context = ctx(DAI, calldata);
+    context.value = U256::from(1u64); // ETH attached to an ERC-20 call
+
+    let m = TokenTransfer::analyze(&EvalContext { value: U256::ZERO, ..context.clone() })
+        .unwrap();
+    let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn).await.unwrap();
+    assert!(v.iter().any(|e| matches!(e, EvalViolation::InvalidTransactionType)));
+}
+
+#[tokio::test]
+async fn evaluate_passes_any_recipient_when_no_restriction() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let grant = Grant {
+        id: 999,
+        shared_grant_id: 999,
+        shared: shared(),
+        settings: make_settings(None, None),
+    };
+    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let context = ctx(DAI, calldata);
+    let m = TokenTransfer::analyze(&context).unwrap();
+    let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn).await.unwrap();
+    assert!(v.is_empty());
+}
+
+#[tokio::test]
+async fn evaluate_passes_matching_restricted_recipient() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let grant = Grant {
+        id: 999,
+        shared_grant_id: 999,
+        shared: shared(),
+        settings: make_settings(Some(RECIPIENT), None),
+    };
+    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let context = ctx(DAI, calldata);
+    let m = TokenTransfer::analyze(&context).unwrap();
+    let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn).await.unwrap();
+    assert!(v.is_empty());
+}
+
+#[tokio::test]
+async fn evaluate_rejects_wrong_restricted_recipient() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let grant = Grant {
+        id: 999,
+        shared_grant_id: 999,
+        shared: shared(),
+        settings: make_settings(Some(RECIPIENT), None),
+    };
+    let calldata = transfer_calldata(OTHER, U256::from(100u64));
+    let context = ctx(DAI, calldata);
+    let m = TokenTransfer::analyze(&context).unwrap();
+    let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn).await.unwrap();
+    assert!(v.iter().any(|e| matches!(e, EvalViolation::InvalidTarget { .. })));
+}
+
+#[tokio::test]
+async fn evaluate_passes_volume_within_limit() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(None, Some(1_000));
+    let grant_id = TokenTransfer::create_grant(&basic, &settings, &mut *conn).await.unwrap();
+
+    // Record a past transfer of 500 (within 1000 limit)
+    use crate::db::{models::NewEvmTokenTransferLog, schema::evm_token_transfer_log};
+    insert_into(evm_token_transfer_log::table)
+        .values(NewEvmTokenTransferLog {
+            grant_id,
+            log_id: 0,
+            chain_id: CHAIN_ID as i32,
+            token_contract: DAI.to_vec(),
+            recipient_address: RECIPIENT.to_vec(),
+            value: utils::u256_to_bytes(U256::from(500u64)).to_vec(),
+        })
+        .execute(&mut *conn)
+        .await
+        .unwrap();
+
+    let grant = Grant { id: grant_id, shared_grant_id: basic.id, shared: shared(), settings };
+    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let context = ctx(DAI, calldata);
+    let m = TokenTransfer::analyze(&context).unwrap();
+    let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn).await.unwrap();
+    assert!(!v.iter().any(|e| matches!(e, EvalViolation::VolumetricLimitExceeded)));
+}
+
+#[tokio::test]
+async fn evaluate_rejects_volume_over_limit() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(None, Some(1_000));
+    let grant_id = TokenTransfer::create_grant(&basic, &settings, &mut *conn).await.unwrap();
+
+    use crate::db::{models::NewEvmTokenTransferLog, schema::evm_token_transfer_log};
+    insert_into(evm_token_transfer_log::table)
+        .values(NewEvmTokenTransferLog {
+            grant_id,
+            log_id: 0,
+            chain_id: CHAIN_ID as i32,
+            token_contract: DAI.to_vec(),
+            recipient_address: RECIPIENT.to_vec(),
+            value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
+        })
+        .execute(&mut *conn)
+        .await
+        .unwrap();
+
+    let grant = Grant { id: grant_id, shared_grant_id: basic.id, shared: shared(), settings };
+    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let context = ctx(DAI, calldata);
+    let m = TokenTransfer::analyze(&context).unwrap();
+    let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn).await.unwrap();
+    assert!(v.iter().any(|e| matches!(e, EvalViolation::VolumetricLimitExceeded)));
+}
+
+#[tokio::test]
+async fn evaluate_no_volume_limits_always_passes() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let grant = Grant {
+        id: 999,
+        shared_grant_id: 999,
+        shared: shared(),
+        settings: make_settings(None, None), // no volume limits
+    };
+    let calldata = transfer_calldata(RECIPIENT, U256::from(u64::MAX));
+    let context = ctx(DAI, calldata);
+    let m = TokenTransfer::analyze(&context).unwrap();
+    let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn).await.unwrap();
+    assert!(!v.iter().any(|e| matches!(e, EvalViolation::VolumetricLimitExceeded)));
+}
+
+// ── try_find_grant ───────────────────────────────────────────────────────
+
+#[tokio::test]
+async fn try_find_grant_roundtrip() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(Some(RECIPIENT), Some(5_000));
+    TokenTransfer::create_grant(&basic, &settings, &mut *conn).await.unwrap();
+
+    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let found = TokenTransfer::try_find_grant(&ctx(DAI, calldata), &mut *conn)
+        .await
+        .unwrap();
+
+    assert!(found.is_some());
+    let g = found.unwrap();
+    assert_eq!(g.settings.token_contract, DAI);
+    assert_eq!(g.settings.target, Some(RECIPIENT));
+    assert_eq!(g.settings.volume_limits.len(), 1);
+    assert_eq!(g.settings.volume_limits[0].max_volume, U256::from(5_000u64));
+}
+
+#[tokio::test]
+async fn try_find_grant_revoked_returns_none() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, true).await;
+    let settings = make_settings(None, None);
+    TokenTransfer::create_grant(&basic, &settings, &mut *conn).await.unwrap();
+
+    let calldata = transfer_calldata(RECIPIENT, U256::from(1u64));
+    let found = TokenTransfer::try_find_grant(&ctx(DAI, calldata), &mut *conn)
+        .await
+        .unwrap();
+    assert!(found.is_none());
+}
+
+#[tokio::test]
+async fn try_find_grant_unknown_token_returns_none() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(None, None);
+    TokenTransfer::create_grant(&basic, &settings, &mut *conn).await.unwrap();
+
+    // Query with a different token contract
+    let calldata = transfer_calldata(RECIPIENT, U256::from(1u64));
+    let found = TokenTransfer::try_find_grant(&ctx(UNKNOWN_TOKEN, calldata), &mut *conn)
+        .await
+        .unwrap();
+    assert!(found.is_none());
+}
+
+// ── find_all_grants ──────────────────────────────────────────────────────
+
+#[tokio::test]
+async fn find_all_grants_empty_db() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+    let all = TokenTransfer::find_all_grants(&mut *conn).await.unwrap();
+    assert!(all.is_empty());
+}
+
+#[tokio::test]
+async fn find_all_grants_excludes_revoked() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let settings = make_settings(None, Some(1_000));
+    let active = insert_basic(&mut conn, false).await;
+    TokenTransfer::create_grant(&active, &settings, &mut *conn).await.unwrap();
+    let revoked = insert_basic(&mut conn, true).await;
+    TokenTransfer::create_grant(&revoked, &settings, &mut *conn).await.unwrap();
+
+    let all = TokenTransfer::find_all_grants(&mut *conn).await.unwrap();
+    assert_eq!(all.len(), 1);
+}
+
+#[tokio::test]
+async fn find_all_grants_loads_volume_limits() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let basic = insert_basic(&mut conn, false).await;
+    let settings = make_settings(None, Some(9_999));
+    TokenTransfer::create_grant(&basic, &settings, &mut *conn).await.unwrap();
+
+    let all = TokenTransfer::find_all_grants(&mut *conn).await.unwrap();
+    assert_eq!(all.len(), 1);
+    assert_eq!(all[0].settings.volume_limits.len(), 1);
+    assert_eq!(all[0].settings.volume_limits[0].max_volume, U256::from(9_999u64));
+}
+
+#[tokio::test]
+async fn find_all_grants_multiple_grants_batch_loaded() {
+    let db = db::create_test_pool().await;
+    let mut conn = db.get().await.unwrap();
+
+    let b1 = insert_basic(&mut conn, false).await;
+    TokenTransfer::create_grant(&b1, &make_settings(None, Some(1_000)), &mut *conn)
+        .await
+        .unwrap();
+    let b2 = insert_basic(&mut conn, false).await;
+    TokenTransfer::create_grant(&b2, &make_settings(Some(RECIPIENT), Some(2_000)), &mut *conn)
+        .await
+        .unwrap();
+
+    let all = TokenTransfer::find_all_grants(&mut *conn).await.unwrap();
+    assert_eq!(all.len(), 2);
+}

useragent/.dart_tool/extension_discovery/README.md

@@ -0,0 +1,31 @@
+Extension Discovery Cache
+=========================
+
+This folder is used by `package:extension_discovery` to cache lists of
+packages that contains extensions for other packages.
+
+DO NOT USE THIS FOLDER
+----------------------
+
+ * Do not read (or rely) the contents of this folder.
+ * Do write to this folder.
+
+If you're interested in the lists of extensions stored in this folder use the
+API offered by package `extension_discovery` to get this information.
+
+If this package doesn't work for your use-case, then don't try to read the
+contents of this folder. It may change, and will not remain stable.
+
+Use package `extension_discovery`
+---------------------------------
+
+If you want to access information from this folder.
+
+Feel free to delete this folder
+-------------------------------
+
+Files in this folder act as a cache, and the cache is discarded if the files
+are older than the modification time of `.dart_tool/package_config.json`.
+
+Hence, it should never be necessary to clear this cache manually, if you find a
+need to do please file a bug.

useragent/.dart_tool/extension_discovery/vs_code.json

@@ -0,0 +1 @@
+{"version":2,"entries":[{"package":"arbiter","rootUri":"../","packageUri":"lib/"}]}

useragent/.dart_tool/package_config.json

@@ -0,0 +1,172 @@
+{
+  "configVersion": 2,
+  "packages": [
+    {
+      "name": "async",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/async-2.13.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "boolean_selector",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/boolean_selector-2.1.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "characters",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/characters-1.4.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "clock",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/clock-1.1.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "collection",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/collection-1.19.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "fake_async",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/fake_async-1.3.3",
+      "packageUri": "lib/",
+      "languageVersion": "3.3"
+    },
+    {
+      "name": "flutter",
+      "rootUri": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable/packages/flutter",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "flutter_lints",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/flutter_lints-6.0.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "flutter_test",
+      "rootUri": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable/packages/flutter_test",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "leak_tracker",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/leak_tracker-11.0.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.2"
+    },
+    {
+      "name": "leak_tracker_flutter_testing",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/leak_tracker_flutter_testing-3.0.10",
+      "packageUri": "lib/",
+      "languageVersion": "3.2"
+    },
+    {
+      "name": "leak_tracker_testing",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/leak_tracker_testing-3.0.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.2"
+    },
+    {
+      "name": "lints",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/lints-6.1.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "matcher",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/matcher-0.12.17",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "material_color_utilities",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/material_color_utilities-0.11.1",
+      "packageUri": "lib/",
+      "languageVersion": "2.17"
+    },
+    {
+      "name": "meta",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/meta-1.17.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.5"
+    },
+    {
+      "name": "path",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/path-1.9.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "sky_engine",
+      "rootUri": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable/bin/cache/pkg/sky_engine",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "source_span",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/source_span-1.10.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "stack_trace",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/stack_trace-1.12.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "stream_channel",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/stream_channel-2.1.4",
+      "packageUri": "lib/",
+      "languageVersion": "3.3"
+    },
+    {
+      "name": "string_scanner",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/string_scanner-1.4.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "term_glyph",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/term_glyph-1.2.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "test_api",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/test_api-0.7.7",
+      "packageUri": "lib/",
+      "languageVersion": "3.5"
+    },
+    {
+      "name": "vector_math",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/vector_math-2.2.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "vm_service",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/vm_service-15.0.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.5"
+    },
+    {
+      "name": "arbiter",
+      "rootUri": "../",
+      "packageUri": "lib/",
+      "languageVersion": "3.10"
+    }
+  ],
+  "generator": "pub",
+  "generatorVersion": "3.10.8",
+  "flutterRoot": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable",
+  "flutterVersion": "3.38.9",
+  "pubCache": "file:///Users/kaska/.pub-cache"
+}

useragent/.dart_tool/package_graph.json

@@ -0,0 +1,224 @@
+{
+  "roots": [
+    "arbiter"
+  ],
+  "packages": [
+    {
+      "name": "arbiter",
+      "version": "0.1.0",
+      "dependencies": [
+        "flutter"
+      ],
+      "devDependencies": [
+        "flutter_lints",
+        "flutter_test"
+      ]
+    },
+    {
+      "name": "flutter_lints",
+      "version": "6.0.0",
+      "dependencies": [
+        "lints"
+      ]
+    },
+    {
+      "name": "flutter_test",
+      "version": "0.0.0",
+      "dependencies": [
+        "clock",
+        "collection",
+        "fake_async",
+        "flutter",
+        "leak_tracker_flutter_testing",
+        "matcher",
+        "meta",
+        "path",
+        "stack_trace",
+        "stream_channel",
+        "test_api",
+        "vector_math"
+      ]
+    },
+    {
+      "name": "flutter",
+      "version": "0.0.0",
+      "dependencies": [
+        "characters",
+        "collection",
+        "material_color_utilities",
+        "meta",
+        "sky_engine",
+        "vector_math"
+      ]
+    },
+    {
+      "name": "lints",
+      "version": "6.1.0",
+      "dependencies": []
+    },
+    {
+      "name": "stream_channel",
+      "version": "2.1.4",
+      "dependencies": [
+        "async"
+      ]
+    },
+    {
+      "name": "meta",
+      "version": "1.17.0",
+      "dependencies": []
+    },
+    {
+      "name": "collection",
+      "version": "1.19.1",
+      "dependencies": []
+    },
+    {
+      "name": "leak_tracker_flutter_testing",
+      "version": "3.0.10",
+      "dependencies": [
+        "flutter",
+        "leak_tracker",
+        "leak_tracker_testing",
+        "matcher",
+        "meta"
+      ]
+    },
+    {
+      "name": "vector_math",
+      "version": "2.2.0",
+      "dependencies": []
+    },
+    {
+      "name": "stack_trace",
+      "version": "1.12.1",
+      "dependencies": [
+        "path"
+      ]
+    },
+    {
+      "name": "clock",
+      "version": "1.1.2",
+      "dependencies": []
+    },
+    {
+      "name": "fake_async",
+      "version": "1.3.3",
+      "dependencies": [
+        "clock",
+        "collection"
+      ]
+    },
+    {
+      "name": "path",
+      "version": "1.9.1",
+      "dependencies": []
+    },
+    {
+      "name": "matcher",
+      "version": "0.12.17",
+      "dependencies": [
+        "async",
+        "meta",
+        "stack_trace",
+        "term_glyph",
+        "test_api"
+      ]
+    },
+    {
+      "name": "test_api",
+      "version": "0.7.7",
+      "dependencies": [
+        "async",
+        "boolean_selector",
+        "collection",
+        "meta",
+        "source_span",
+        "stack_trace",
+        "stream_channel",
+        "string_scanner",
+        "term_glyph"
+      ]
+    },
+    {
+      "name": "sky_engine",
+      "version": "0.0.0",
+      "dependencies": []
+    },
+    {
+      "name": "material_color_utilities",
+      "version": "0.11.1",
+      "dependencies": [
+        "collection"
+      ]
+    },
+    {
+      "name": "characters",
+      "version": "1.4.0",
+      "dependencies": []
+    },
+    {
+      "name": "async",
+      "version": "2.13.0",
+      "dependencies": [
+        "collection",
+        "meta"
+      ]
+    },
+    {
+      "name": "leak_tracker_testing",
+      "version": "3.0.2",
+      "dependencies": [
+        "leak_tracker",
+        "matcher",
+        "meta"
+      ]
+    },
+    {
+      "name": "leak_tracker",
+      "version": "11.0.2",
+      "dependencies": [
+        "clock",
+        "collection",
+        "meta",
+        "path",
+        "vm_service"
+      ]
+    },
+    {
+      "name": "term_glyph",
+      "version": "1.2.2",
+      "dependencies": []
+    },
+    {
+      "name": "string_scanner",
+      "version": "1.4.1",
+      "dependencies": [
+        "source_span"
+      ]
+    },
+    {
+      "name": "source_span",
+      "version": "1.10.2",
+      "dependencies": [
+        "collection",
+        "path",
+        "term_glyph"
+      ]
+    },
+    {
+      "name": "boolean_selector",
+      "version": "2.1.2",
+      "dependencies": [
+        "source_span",
+        "string_scanner"
+      ]
+    },
+    {
+      "name": "vm_service",
+      "version": "15.0.2",
+      "dependencies": []
+    }
+  ],
+  "configVersion": 1
+}

useragent/.dart_tool/version

@@ -0,0 +1 @@
+3.38.9

useragent/macos/Flutter/ephemeral/Flutter-Generated.xcconfig

@@ -0,0 +1,11 @@
+// This is a generated file; do not edit or check into version control.
+FLUTTER_ROOT=/Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable
+FLUTTER_APPLICATION_PATH=/Users/kaska/Documents/Projects/Major/arbiter/useragent
+COCOAPODS_PARALLEL_CODE_SIGN=true
+FLUTTER_BUILD_DIR=build
+FLUTTER_BUILD_NAME=0.1.0
+FLUTTER_BUILD_NUMBER=0.1.0
+DART_OBFUSCATION=false
+TRACK_WIDGET_CREATION=true
+TREE_SHAKE_ICONS=false
+PACKAGE_CONFIG=.dart_tool/package_config.json

useragent/macos/Flutter/ephemeral/flutter_export_environment.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+# This is a generated file; do not edit or check into version control.
+export "FLUTTER_ROOT=/Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable"
+export "FLUTTER_APPLICATION_PATH=/Users/kaska/Documents/Projects/Major/arbiter/useragent"
+export "COCOAPODS_PARALLEL_CODE_SIGN=true"
+export "FLUTTER_BUILD_DIR=build"
+export "FLUTTER_BUILD_NAME=0.1.0"
+export "FLUTTER_BUILD_NUMBER=0.1.0"
+export "DART_OBFUSCATION=false"
+export "TRACK_WIDGET_CREATION=true"
+export "TREE_SHAKE_ICONS=false"
+export "PACKAGE_CONFIG=.dart_tool/package_config.json"